Guest Blogger

How employers can safeguard the workplace against data breaches

Sarah Moore is a partner at the Cleveland office of Fisher Phillips, a national management-side labor and employment law firm.

In recent years, the number of data breaches has been increasing at an alarming rate, posing a significant threat to businesses of all sizes. On average, 80-90 million cybersecurity incidents are reported annually. In 2015 alone, we saw a 35% increase in cyberattacks from the prior year, and that number is continuing to climb.

However, despite the looming threat of cyberattacks, most companies don’t have cybersecurity measures in place – leaving them vulnerable to expensive and disastrous data breaches. Beyond the cost of compliance with notification laws, a data breach can disrupt business operations, damage brand reputation and customer relations, and attract unwanted attention from government agencies. Now more than ever before, employers must know how to prevent data breaches and respond in the aftermath.

Who is at risk?

In today’s modern workplace, almost every business uses a computer network for facilitating electronic communications, housing company data, and managing the information of employees, customers, clients and vendors.

During a cyberattack, the hacker aims to steal any and all “personal information” housed in a company’s network. This information includes names, addresses, phone numbers, email addresses, bank accounts, credit card numbers and passwords. Any individual or entity whose information resides on or passes through the network is a target – including the company itself.

Traditionally, companies relied on IT departments or consultants to detect network vulnerabilities and protect against hacker intrusion. Although that certainly worked many years ago, it’s no longer a reasonable, realistic or viable solution.

Why not? Hackers have significantly expanded their attack methods: they now look for and exploit vulnerabilities created by the everyday actions – every keystroke – of every person using a computer on the company network.

Now, companies must respond to this threat by equipping all end users with cybersecurity skills, so that they do not unknowingly let hackers in while performing their work, or while clients, vendors and suppliers do business with them.

Cracking down on cybersecurity in the workplace

It’s no longer enough to simply maintain written policies and protocols – employers need to conduct employee training, security testing and monitoring on a regular basis in the workplace.

Most workers lack the IT-specific skills or education needed to understand how networks and computers actually function. A general understanding of how these systems work, and of where they are most vulnerable, is the foundation of cybersecurity.

Although cybersecurity certification programs exist, it’s unrealistic for companies to require all workers to be certified. Instead, employers should consider bringing on a cybersecurity professional to audit their network, meaningfully address vulnerabilities, and develop a customized training program that equips the workforce and outside end users with the skill set and resources needed to defend against hackers. Employers can also establish a cybersecurity core team to more fully integrate cybersecurity into the fabric of the company’s operations.

In addition, employee training should be done on a regular basis and include threat bulletins that alert all end users to new or potential cyberattacks. A dedicated communication stream between your cybersecurity core team and network users is key to encouraging the prompt disclosure of unusual interactions or activities on a system. Many times, these early reports of strange encounters can prevent a serious cyberattack and save the company hundreds of thousands of dollars in damage control measures.

Although it’s critical to know how to prevent and identify system vulnerabilities, employers should also have response procedures in place for handling the aftermath of a cyberattack. These protocols and policies should be meaningful, informative and transparent, because a company that follows them is more likely to navigate the inevitable negative financial consequences effectively.

If there is a suspected data breach, the first course of action should be to immediately lock down the network to secure it from any “aftershocks” while the matter is investigated. The company may later be required to prove that it took prompt, reasonable steps to investigate the cyberattack, attempt to retrieve and secure all affected information, and notify the affected individuals. How a company responds to a data breach can mean the difference between consumer confidence and public distrust.